Yahoo! security: are there any lights on?

Michael Rathbun mdr at
Fri Jul 5 02:12:52 UTC 2013

Y! is haemorrhaging PII to me and I cannot figure out how to make it stop. 

I have an ancient three-letter account (you can easily guess what the three
letters are) and hundreds of people have somehow been led to believe that
they own and control it, to the point of associating it with their own
accounts, using it as a CC in their communication with their attorneys,
banks, spouses and other ... persons.

Today during our traditional early-morning July 4 breakfast cookout I got
an SMS message, purportedly from Y!, that "We detected unusual activity on
the network. Log in to from the web to unlock your account." This
was an out-of-the-blue first event, but there was no mechanism in the
message to do anything dangerous.

When back at home, logging in to Y! involved additional authentication
steps and a mandatory password change.  Fair enough.  No sign of account
access from anywhere unusual. The password change event was sent to the
correct linked external accounts.

But then, a new and interesting barrage of mail started coming in,
indicating that, as suspected, the account associations were indeed being
effected without any involvement of myself.  

For instance:

>Hi Vince,
>We detected a login attempt with valid password to your Yahoo! account ([munged by me, but not by Y!]) from an unrecognized device on Thu, Jul 4, 2013 3:56 PM VET.
>Location: Venezuela (IP=
>Note: The location is based on information from your Internet service or wireless carrier provider.
>Was this you? If so, you can disregard the rest of this email.

(This is interesting and, perhaps, encouraging -- that's one of the addresses I've recently seen in compromised Y! account spam

I have never yet succeeded in contacting a live body at Y!.  Does anyone
know whether the lights are even on, let alone anybody being home?

         "There are no laws here, only agreements."  
                -- Masahiko

More information about the NANOG mailing list